From c159181d2773396e24449e91d472d8fedc4b5e98 Mon Sep 17 00:00:00 2001
From: Andoni Alonso <14891798+andoniaf@users.noreply.github.com>
Date: Tue, 24 Feb 2026 13:06:34 +0100
Subject: [PATCH] feat(api): add Image provider support for container image
scanning (#10128)
---
api/CHANGELOG.md | 1 +
api/Dockerfile | 2 +-
.../api/migrations/0083_image_provider.py | 38 ++
api/src/backend/api/models.py | 10 +
api/src/backend/api/tests/test_serializers.py | 35 ++
api/src/backend/api/tests/test_utils.py | 160 +++++++
api/src/backend/api/utils.py | 49 ++-
api/src/backend/api/v1/serializers.py | 26 ++
api/src/backend/tasks/jobs/export.py | 1 +
poetry.lock | 4 +-
prowler/lib/check/checks_loader.py | 4 +-
prowler/lib/outputs/finding.py | 8 +-
prowler/lib/outputs/html/html.py | 50 +++
prowler/lib/scan/scan.py | 86 +++-
prowler/providers/common/provider.py | 13 -
prowler/providers/image/image_provider.py | 217 +++++++---
prowler/providers/image/lib/registry/base.py | 38 +-
.../image/lib/registry/dockerhub_adapter.py | 8 +-
tests/lib/outputs/html/html_test.py | 88 +++-
tests/providers/image/image_fixtures.py | 55 ++-
tests/providers/image/image_provider_test.py | 397 ++++++++++--------
.../lib/registry/test_dockerhub_adapter.py | 82 +++-
.../image/lib/registry/test_oci_adapter.py | 30 +-
.../lib/registry/test_provider_registry.py | 22 +-
24 files changed, 1120 insertions(+), 304 deletions(-)
create mode 100644 api/src/backend/api/migrations/0083_image_provider.py
diff --git a/api/CHANGELOG.md b/api/CHANGELOG.md
index 63034c4352..dd239a00e6 100644
--- a/api/CHANGELOG.md
+++ b/api/CHANGELOG.md
@@ -9,6 +9,7 @@ All notable changes to the **Prowler API** are documented in this file.
- Finding group summaries and resources endpoints for hierarchical findings views [(#9961)](https://github.com/prowler-cloud/prowler/pull/9961)
- OpenStack provider support [(#10003)](https://github.com/prowler-cloud/prowler/pull/10003)
- PDF report for the CSA CCM compliance framework [(#10088)](https://github.com/prowler-cloud/prowler/pull/10088)
+- `image` provider support for container image scanning [(#10128)](https://github.com/prowler-cloud/prowler/pull/10128)
### 🔄 Changed
diff --git a/api/Dockerfile b/api/Dockerfile
index a4d5d177cf..43abe7d82d 100644
--- a/api/Dockerfile
+++ b/api/Dockerfile
@@ -5,7 +5,7 @@ LABEL maintainer="https://github.com/prowler-cloud/api"
ARG POWERSHELL_VERSION=7.5.0
ENV POWERSHELL_VERSION=${POWERSHELL_VERSION}
-ARG TRIVY_VERSION=0.66.0
+ARG TRIVY_VERSION=0.69.1
ENV TRIVY_VERSION=${TRIVY_VERSION}
# hadolint ignore=DL3008
diff --git a/api/src/backend/api/migrations/0083_image_provider.py b/api/src/backend/api/migrations/0083_image_provider.py
new file mode 100644
index 0000000000..936fae2219
--- /dev/null
+++ b/api/src/backend/api/migrations/0083_image_provider.py
@@ -0,0 +1,38 @@
+from django.db import migrations
+
+import api.db_utils
+
+
+class Migration(migrations.Migration):
+ dependencies = [
+ ("api", "0082_backfill_finding_group_summaries"),
+ ]
+
+ operations = [
+ migrations.AlterField(
+ model_name="provider",
+ name="provider",
+ field=api.db_utils.ProviderEnumField(
+ choices=[
+ ("aws", "AWS"),
+ ("azure", "Azure"),
+ ("gcp", "GCP"),
+ ("kubernetes", "Kubernetes"),
+ ("m365", "M365"),
+ ("github", "GitHub"),
+ ("mongodbatlas", "MongoDB Atlas"),
+ ("iac", "IaC"),
+ ("oraclecloud", "Oracle Cloud Infrastructure"),
+ ("alibabacloud", "Alibaba Cloud"),
+ ("cloudflare", "Cloudflare"),
+ ("openstack", "OpenStack"),
+ ("image", "Image"),
+ ],
+ default="aws",
+ ),
+ ),
+ migrations.RunSQL(
+ "ALTER TYPE provider ADD VALUE IF NOT EXISTS 'image';",
+ reverse_sql=migrations.RunSQL.noop,
+ ),
+ ]
diff --git a/api/src/backend/api/models.py b/api/src/backend/api/models.py
index 882abeb7b2..1f82c4a7da 100644
--- a/api/src/backend/api/models.py
+++ b/api/src/backend/api/models.py
@@ -292,6 +292,7 @@ class Provider(RowLevelSecurityProtectedModel):
ALIBABACLOUD = "alibabacloud", _("Alibaba Cloud")
CLOUDFLARE = "cloudflare", _("Cloudflare")
OPENSTACK = "openstack", _("OpenStack")
+ IMAGE = "image", _("Image")
@staticmethod
def validate_aws_uid(value):
@@ -426,6 +427,15 @@ class Provider(RowLevelSecurityProtectedModel):
pointer="/data/attributes/uid",
)
+ @staticmethod
+ def validate_image_uid(value):
+ if not re.match(r"^[a-zA-Z0-9][a-zA-Z0-9._/:@-]{2,249}$", value):
+ raise ModelValidationError(
+ detail="Image provider ID must be a valid container image reference.",
+ code="image-uid",
+ pointer="/data/attributes/uid",
+ )
+
id = models.UUIDField(primary_key=True, default=uuid4, editable=False)
inserted_at = models.DateTimeField(auto_now_add=True, editable=False)
updated_at = models.DateTimeField(auto_now=True, editable=False)
diff --git a/api/src/backend/api/tests/test_serializers.py b/api/src/backend/api/tests/test_serializers.py
index a52b3464d8..5810a97b63 100644
--- a/api/src/backend/api/tests/test_serializers.py
+++ b/api/src/backend/api/tests/test_serializers.py
@@ -2,6 +2,7 @@ import pytest
from rest_framework.exceptions import ValidationError
from api.v1.serializer_utils.integrations import S3ConfigSerializer
+from api.v1.serializers import ImageProviderSecret
class TestS3ConfigSerializer:
@@ -98,3 +99,37 @@ class TestS3ConfigSerializer:
serializer = S3ConfigSerializer(data=data)
assert not serializer.is_valid()
assert "output_directory" in serializer.errors
+
+
+class TestImageProviderSecret:
+ """Test cases for ImageProviderSecret validation."""
+
+ def test_valid_no_credentials(self):
+ serializer = ImageProviderSecret(data={})
+ assert serializer.is_valid()
+
+ def test_valid_token_only(self):
+ serializer = ImageProviderSecret(data={"registry_token": "tok"})
+ assert serializer.is_valid()
+
+ def test_valid_username_and_password(self):
+ serializer = ImageProviderSecret(
+ data={"registry_username": "user", "registry_password": "pass"}
+ )
+ assert serializer.is_valid()
+
+ def test_valid_token_with_username_only(self):
+ serializer = ImageProviderSecret(
+ data={"registry_token": "tok", "registry_username": "user"}
+ )
+ assert serializer.is_valid()
+
+ def test_invalid_username_without_password(self):
+ serializer = ImageProviderSecret(data={"registry_username": "user"})
+ assert not serializer.is_valid()
+ assert "non_field_errors" in serializer.errors
+
+ def test_invalid_password_without_username(self):
+ serializer = ImageProviderSecret(data={"registry_password": "pass"})
+ assert not serializer.is_valid()
+ assert "non_field_errors" in serializer.errors
diff --git a/api/src/backend/api/tests/test_utils.py b/api/src/backend/api/tests/test_utils.py
index 236cbf87a2..24c051717d 100644
--- a/api/src/backend/api/tests/test_utils.py
+++ b/api/src/backend/api/tests/test_utils.py
@@ -24,6 +24,7 @@ from prowler.providers.cloudflare.cloudflare_provider import CloudflareProvider
from prowler.providers.gcp.gcp_provider import GcpProvider
from prowler.providers.github.github_provider import GithubProvider
from prowler.providers.iac.iac_provider import IacProvider
+from prowler.providers.image.image_provider import ImageProvider
from prowler.providers.kubernetes.kubernetes_provider import KubernetesProvider
from prowler.providers.m365.m365_provider import M365Provider
from prowler.providers.mongodbatlas.mongodbatlas_provider import MongodbatlasProvider
@@ -122,6 +123,7 @@ class TestReturnProwlerProvider:
(Provider.ProviderChoices.ALIBABACLOUD.value, AlibabacloudProvider),
(Provider.ProviderChoices.CLOUDFLARE.value, CloudflareProvider),
(Provider.ProviderChoices.OPENSTACK.value, OpenstackProvider),
+ (Provider.ProviderChoices.IMAGE.value, ImageProvider),
],
)
def test_return_prowler_provider(self, provider_type, expected_provider):
@@ -188,6 +190,47 @@ class TestProwlerProviderConnectionTest:
assert isinstance(connection.error, Provider.secret.RelatedObjectDoesNotExist)
assert str(connection.error) == "Provider has no secret."
+ @patch("api.utils.return_prowler_provider")
+ def test_prowler_provider_connection_test_image_provider(
+ self, mock_return_prowler_provider
+ ):
+ """Test connection test for Image provider with credentials."""
+ provider = MagicMock()
+ provider.uid = "docker.io/myns/myimage:latest"
+ provider.provider = Provider.ProviderChoices.IMAGE.value
+ provider.secret.secret = {
+ "registry_username": "user",
+ "registry_password": "pass",
+ "registry_token": "tok123",
+ }
+ mock_return_prowler_provider.return_value = MagicMock()
+
+ prowler_provider_connection_test(provider)
+ mock_return_prowler_provider.return_value.test_connection.assert_called_once_with(
+ image="docker.io/myns/myimage:latest",
+ raise_on_exception=False,
+ registry_username="user",
+ registry_password="pass",
+ registry_token="tok123",
+ )
+
+ @patch("api.utils.return_prowler_provider")
+ def test_prowler_provider_connection_test_image_provider_no_creds(
+ self, mock_return_prowler_provider
+ ):
+ """Test connection test for Image provider without credentials."""
+ provider = MagicMock()
+ provider.uid = "alpine:3.18"
+ provider.provider = Provider.ProviderChoices.IMAGE.value
+ provider.secret.secret = {}
+ mock_return_prowler_provider.return_value = MagicMock()
+
+ prowler_provider_connection_test(provider)
+ mock_return_prowler_provider.return_value.test_connection.assert_called_once_with(
+ image="alpine:3.18",
+ raise_on_exception=False,
+ )
+
class TestGetProwlerProviderKwargs:
@pytest.mark.parametrize(
@@ -336,6 +379,123 @@ class TestGetProwlerProviderKwargs:
}
assert result == expected_result
+ def test_get_prowler_provider_kwargs_image_provider_registry_url(self):
+ """Test that Image provider with a registry URL gets 'registry' kwarg."""
+ provider_uid = "docker.io/myns"
+ secret_dict = {
+ "registry_username": "user",
+ "registry_password": "pass",
+ }
+ secret_mock = MagicMock()
+ secret_mock.secret = secret_dict
+
+ provider = MagicMock()
+ provider.provider = Provider.ProviderChoices.IMAGE.value
+ provider.secret = secret_mock
+ provider.uid = provider_uid
+
+ result = get_prowler_provider_kwargs(provider)
+
+ expected_result = {
+ "registry": provider_uid,
+ "registry_username": "user",
+ "registry_password": "pass",
+ }
+ assert result == expected_result
+
+ def test_get_prowler_provider_kwargs_image_provider_image_ref(self):
+ """Test that Image provider with a full image reference gets 'images' kwarg."""
+ provider_uid = "docker.io/myns/myimage:latest"
+ secret_dict = {
+ "registry_username": "user",
+ "registry_password": "pass",
+ }
+ secret_mock = MagicMock()
+ secret_mock.secret = secret_dict
+
+ provider = MagicMock()
+ provider.provider = Provider.ProviderChoices.IMAGE.value
+ provider.secret = secret_mock
+ provider.uid = provider_uid
+
+ result = get_prowler_provider_kwargs(provider)
+
+ expected_result = {
+ "images": [provider_uid],
+ "registry_username": "user",
+ "registry_password": "pass",
+ }
+ assert result == expected_result
+
+ def test_get_prowler_provider_kwargs_image_provider_dockerhub_image(self):
+ """Test that Image provider with a short DockerHub image gets 'images' kwarg."""
+ provider_uid = "alpine:3.18"
+ secret_dict = {}
+ secret_mock = MagicMock()
+ secret_mock.secret = secret_dict
+
+ provider = MagicMock()
+ provider.provider = Provider.ProviderChoices.IMAGE.value
+ provider.secret = secret_mock
+ provider.uid = provider_uid
+
+ result = get_prowler_provider_kwargs(provider)
+
+ expected_result = {"images": [provider_uid]}
+ assert result == expected_result
+
+ def test_get_prowler_provider_kwargs_image_provider_filters_falsy_secrets(self):
+ """Test that falsy secret values are filtered out for Image provider."""
+ provider_uid = "docker.io/myns/myimage:latest"
+ secret_dict = {
+ "registry_username": "",
+ "registry_password": "",
+ }
+ secret_mock = MagicMock()
+ secret_mock.secret = secret_dict
+
+ provider = MagicMock()
+ provider.provider = Provider.ProviderChoices.IMAGE.value
+ provider.secret = secret_mock
+ provider.uid = provider_uid
+
+ result = get_prowler_provider_kwargs(provider)
+
+ expected_result = {"images": [provider_uid]}
+ assert result == expected_result
+
+ def test_get_prowler_provider_kwargs_image_provider_ignores_mutelist(self):
+ """Test that Image provider does NOT receive mutelist_content.
+
+ Image provider uses Trivy's built-in mutelist logic, so it should not
+ receive mutelist_content even when a mutelist processor is configured.
+ """
+ provider_uid = "docker.io/myns/myimage:latest"
+ secret_dict = {
+ "registry_username": "user",
+ "registry_password": "pass",
+ }
+ secret_mock = MagicMock()
+ secret_mock.secret = secret_dict
+
+ mutelist_processor = MagicMock()
+ mutelist_processor.configuration = {"Mutelist": {"key": "value"}}
+
+ provider = MagicMock()
+ provider.provider = Provider.ProviderChoices.IMAGE.value
+ provider.secret = secret_mock
+ provider.uid = provider_uid
+
+ result = get_prowler_provider_kwargs(provider, mutelist_processor)
+
+ assert "mutelist_content" not in result
+ expected_result = {
+ "images": [provider_uid],
+ "registry_username": "user",
+ "registry_password": "pass",
+ }
+ assert result == expected_result
+
def test_get_prowler_provider_kwargs_unsupported_provider(self):
# Setup
provider_uid = "provider_uid"
diff --git a/api/src/backend/api/utils.py b/api/src/backend/api/utils.py
index 6d8cb3f99b..d856bd5e6a 100644
--- a/api/src/backend/api/utils.py
+++ b/api/src/backend/api/utils.py
@@ -28,6 +28,7 @@ if TYPE_CHECKING:
from prowler.providers.gcp.gcp_provider import GcpProvider
from prowler.providers.github.github_provider import GithubProvider
from prowler.providers.iac.iac_provider import IacProvider
+ from prowler.providers.image.image_provider import ImageProvider
from prowler.providers.kubernetes.kubernetes_provider import KubernetesProvider
from prowler.providers.m365.m365_provider import M365Provider
from prowler.providers.mongodbatlas.mongodbatlas_provider import (
@@ -83,6 +84,7 @@ def return_prowler_provider(
| GcpProvider
| GithubProvider
| IacProvider
+ | ImageProvider
| KubernetesProvider
| M365Provider
| MongodbatlasProvider
@@ -95,7 +97,7 @@ def return_prowler_provider(
provider (Provider): The provider object containing the provider type and associated secrets.
Returns:
- AlibabacloudProvider | AwsProvider | AzureProvider | CloudflareProvider | GcpProvider | GithubProvider | IacProvider | KubernetesProvider | M365Provider | MongodbatlasProvider | OpenstackProvider | OraclecloudProvider: The corresponding provider class.
+ AlibabacloudProvider | AwsProvider | AzureProvider | CloudflareProvider | GcpProvider | GithubProvider | IacProvider | ImageProvider | KubernetesProvider | M365Provider | MongodbatlasProvider | OpenstackProvider | OraclecloudProvider: The corresponding provider class.
Raises:
ValueError: If the provider type specified in `provider.provider` is not supported.
@@ -159,6 +161,10 @@ def return_prowler_provider(
from prowler.providers.openstack.openstack_provider import OpenstackProvider
prowler_provider = OpenstackProvider
+ case Provider.ProviderChoices.IMAGE.value:
+ from prowler.providers.image.image_provider import ImageProvider
+
+ prowler_provider = ImageProvider
case _:
raise ValueError(f"Provider type {provider.provider} not supported")
return prowler_provider
@@ -219,11 +225,29 @@ def get_prowler_provider_kwargs(
# clouds_yaml_content, clouds_yaml_cloud and provider_id are validated
# in the provider itself, so it's not needed here.
pass
+ elif provider.provider == Provider.ProviderChoices.IMAGE.value:
+ # Detect whether uid is a registry URL (e.g. "docker.io/andoniaf") or
+ # a concrete image reference (e.g. "docker.io/andoniaf/myimage:latest").
+ from prowler.providers.image.image_provider import ImageProvider
+
+ if ImageProvider._is_registry_url(provider.uid):
+ prowler_provider_kwargs = {
+ "registry": provider.uid,
+ **{k: v for k, v in prowler_provider_kwargs.items() if v},
+ }
+ else:
+ prowler_provider_kwargs = {
+ "images": [provider.uid],
+ **{k: v for k, v in prowler_provider_kwargs.items() if v},
+ }
if mutelist_processor:
mutelist_content = mutelist_processor.configuration.get("Mutelist", {})
- # IaC provider doesn't support mutelist (uses Trivy's built-in logic)
- if mutelist_content and provider.provider != Provider.ProviderChoices.IAC.value:
+ # IaC and Image providers don't support mutelist (both use Trivy's built-in logic)
+ if mutelist_content and provider.provider not in (
+ Provider.ProviderChoices.IAC.value,
+ Provider.ProviderChoices.IMAGE.value,
+ ):
prowler_provider_kwargs["mutelist_content"] = mutelist_content
return prowler_provider_kwargs
@@ -240,6 +264,7 @@ def initialize_prowler_provider(
| GcpProvider
| GithubProvider
| IacProvider
+ | ImageProvider
| KubernetesProvider
| M365Provider
| MongodbatlasProvider
@@ -253,7 +278,7 @@ def initialize_prowler_provider(
mutelist_processor (Processor): The mutelist processor object containing the mutelist configuration.
Returns:
- AlibabacloudProvider | AwsProvider | AzureProvider | CloudflareProvider | GcpProvider | GithubProvider | IacProvider | KubernetesProvider | M365Provider | MongodbatlasProvider | OpenstackProvider | OraclecloudProvider: An instance of the corresponding provider class
+ AlibabacloudProvider | AwsProvider | AzureProvider | CloudflareProvider | GcpProvider | GithubProvider | IacProvider | ImageProvider | KubernetesProvider | M365Provider | MongodbatlasProvider | OpenstackProvider | OraclecloudProvider: An instance of the corresponding provider class
initialized with the provider's secrets.
"""
prowler_provider = return_prowler_provider(provider)
@@ -296,6 +321,22 @@ def prowler_provider_connection_test(provider: Provider) -> Connection:
"raise_on_exception": False,
}
return prowler_provider.test_connection(**openstack_kwargs)
+ elif provider.provider == Provider.ProviderChoices.IMAGE.value:
+ image_kwargs = {
+ "image": provider.uid,
+ "raise_on_exception": False,
+ }
+ if prowler_provider_kwargs.get("registry_username"):
+ image_kwargs["registry_username"] = prowler_provider_kwargs[
+ "registry_username"
+ ]
+ if prowler_provider_kwargs.get("registry_password"):
+ image_kwargs["registry_password"] = prowler_provider_kwargs[
+ "registry_password"
+ ]
+ if prowler_provider_kwargs.get("registry_token"):
+ image_kwargs["registry_token"] = prowler_provider_kwargs["registry_token"]
+ return prowler_provider.test_connection(**image_kwargs)
else:
return prowler_provider.test_connection(
**prowler_provider_kwargs,
diff --git a/api/src/backend/api/v1/serializers.py b/api/src/backend/api/v1/serializers.py
index 18619a2384..babc1d95bc 100644
--- a/api/src/backend/api/v1/serializers.py
+++ b/api/src/backend/api/v1/serializers.py
@@ -1528,6 +1528,8 @@ class BaseWriteProviderSecretSerializer(BaseWriteSerializer):
)
elif provider_type == Provider.ProviderChoices.OPENSTACK.value:
serializer = OpenStackCloudsYamlProviderSecret(data=secret)
+ elif provider_type == Provider.ProviderChoices.IMAGE.value:
+ serializer = ImageProviderSecret(data=secret)
else:
raise serializers.ValidationError(
{"provider": f"Provider type not supported {provider_type}"}
@@ -1702,6 +1704,30 @@ class OpenStackCloudsYamlProviderSecret(serializers.Serializer):
resource_name = "provider-secrets"
+class ImageProviderSecret(serializers.Serializer):
+ registry_username = serializers.CharField(required=False)
+ registry_password = serializers.CharField(required=False)
+ registry_token = serializers.CharField(required=False)
+
+ class Meta:
+ resource_name = "provider-secrets"
+
+ def validate(self, attrs):
+ token = attrs.get("registry_token")
+ username = attrs.get("registry_username")
+ password = attrs.get("registry_password")
+ if not token:
+ if username and not password:
+ raise serializers.ValidationError(
+ "registry_password is required when registry_username is provided."
+ )
+ if password and not username:
+ raise serializers.ValidationError(
+ "registry_username is required when registry_password is provided."
+ )
+ return attrs
+
+
class AlibabaCloudProviderSecret(serializers.Serializer):
access_key_id = serializers.CharField()
access_key_secret = serializers.CharField()
diff --git a/api/src/backend/tasks/jobs/export.py b/api/src/backend/tasks/jobs/export.py
index c2a947d249..4b8498f7e7 100644
--- a/api/src/backend/tasks/jobs/export.py
+++ b/api/src/backend/tasks/jobs/export.py
@@ -137,6 +137,7 @@ COMPLIANCE_CLASS_MAP = {
# IaC provider doesn't have specific compliance frameworks yet
# Trivy handles its own compliance checks
],
+ "image": [],
"oraclecloud": [
(lambda name: name.startswith("cis_"), OracleCloudCIS),
(lambda name: name.startswith("csa_"), OracleCloudCSA),
diff --git a/poetry.lock b/poetry.lock
index 092d6351fe..abc498d59f 100644
--- a/poetry.lock
+++ b/poetry.lock
@@ -1,4 +1,4 @@
-# This file is automatically @generated by Poetry 2.1.2 and should not be changed by hand.
+# This file is automatically @generated by Poetry 2.1.1 and should not be changed by hand.
[[package]]
name = "about-time"
@@ -4874,7 +4874,7 @@ description = "C parser in Python"
optional = false
python-versions = ">=3.8"
groups = ["main", "dev"]
-markers = "implementation_name != \"PyPy\" and platform_python_implementation != \"PyPy\""
+markers = "platform_python_implementation != \"PyPy\" and implementation_name != \"PyPy\""
files = [
{file = "pycparser-2.22-py3-none-any.whl", hash = "sha256:c3702b6d3dd8c7abc1afa565d7e63d53a1d0bd86cdc24edd75470f4de499cfcc"},
{file = "pycparser-2.22.tar.gz", hash = "sha256:491c8be9c040f5390f5bf44a5b07752bd07f56edf992381b05c701439eec10f6"},
diff --git a/prowler/lib/check/checks_loader.py b/prowler/lib/check/checks_loader.py
index dab5535d77..bc1ea937be 100644
--- a/prowler/lib/check/checks_loader.py
+++ b/prowler/lib/check/checks_loader.py
@@ -22,8 +22,8 @@ def load_checks_to_execute(
) -> set:
"""Generate the list of checks to execute based on the cloud provider and the input arguments given"""
try:
- # Bypass check loading for IAC provider since it uses Trivy directly
- if provider == "iac":
+ # Bypass check loading for providers that use Trivy directly
+ if provider in ("iac", "image"):
return set()
# Local subsets
diff --git a/prowler/lib/outputs/finding.py b/prowler/lib/outputs/finding.py
index 82f64850f8..2c2d5a61f2 100644
--- a/prowler/lib/outputs/finding.py
+++ b/prowler/lib/outputs/finding.py
@@ -384,10 +384,12 @@ class Finding(BaseModel):
output_data["auth_method"] = provider.auth_method
output_data["account_uid"] = "image"
output_data["account_name"] = "image"
- output_data["resource_name"] = getattr(
- check_output, "resource_name", ""
+ image_name = getattr(check_output, "resource_name", "")
+ image_sha = getattr(check_output, "image_sha", "")
+ output_data["resource_name"] = image_name
+ output_data["resource_uid"] = (
+ f"{image_name}:{image_sha}" if image_sha else image_name
)
- output_data["resource_uid"] = getattr(check_output, "resource_id", "")
output_data["region"] = getattr(check_output, "region", "container")
output_data["package_name"] = getattr(check_output, "package_name", "")
output_data["installed_version"] = getattr(
diff --git a/prowler/lib/outputs/html/html.py b/prowler/lib/outputs/html/html.py
index 779fa2d776..26ee798021 100644
--- a/prowler/lib/outputs/html/html.py
+++ b/prowler/lib/outputs/html/html.py
@@ -930,6 +930,56 @@ class HTML(Output):
)
return ""
+ @staticmethod
+ def get_image_assessment_summary(provider: Provider) -> str:
+ """
+ get_image_assessment_summary gets the HTML assessment summary for the Image provider
+
+ Args:
+ provider (Provider): the Image provider object
+
+ Returns:
+ str: the HTML assessment summary
+ """
+ try:
+ if provider.registry:
+ target_info = f"Registry URL: {provider.registry}"
+ else:
+ target_info = f'Images: {", ".join(provider.images)}'
+
+ return f"""
+
+
+
+
+
+ -
+ Image authentication method: {provider.auth_method}
+
+
+
+
+
+
+
+ -
+ Registry URL: myregistry.io
+
+
+
+
+
+
+
+ -
+ Image authentication method: Docker login
+
+
+
+
+
+
+
+ -
+ Images: nginx:latest, alpine:3.18
+
+
+
+
+
+
+
+ -
+ Image authentication method: No auth
+
+
+
+